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71'a 

(An Analysis Technique for Encrypted Unknown Malicious. Scripts) 

o| ^ ^ ' ^ el s 

(Seong-uck Lee) (Man Pyo Hong) 
<^:^'^^^ <>?llr5ll<^]^<^ m 01:51 ^Efls] q^>a s^i- cfl^o^ 7|)^^s|sa^H 

S. :iiH^m ^EflS) o^>^J anol)^ ^^.^H, -^^^ 'S-:^^!- 7]^^0_s, ^ >JJ.A|^ 

""^^^ 7l»^oll cfltV ^^iajo] ^j^^ :|.s1-oj Afl^^ 7|,go^ ^^o^l -^c^^l-Tfl Cfl^^ei-fe Ajj^^ oj- 

Abstract Decryption of encrypted malicious scripts is essential in order to analyze the scripts and 
to determine whether they are malicious. An effective decr>'ption technique is one that is designed to 
consider the characteristics of the script languages rather than the specific encryption patterns. 
However, currently X-raying and emulation are not the proper techniques for the script because they 
were designed to decrypt binary malicious codes. In addition to that, heuristic techniques are unable 
to decrj'pt unknown script codes that use unknown encryption techniques. In this paper, we propose 
a new technique that will be able to decrypt malicious scripts based on analytical approach, we 
describe its implementation. 

Key words : computer virus, malicious code, script, encryption 



1. M E 

<aHVajo] o]olo||Al ovjLSKcncfN'ption)^ a 9]v\7} 
ce^jufx] pflAl^ll- *y5L^(encoding)3t^ 

(scrambling 9]^ wHe^^ 7] (scanner) 71- ^ 
^ ^>a:2Hfi) Aluq^Ksignature)!- #^1 ^^S-^ * 

H^a^ (legitimate program)!-^ "^^i ^Hf- 

JL Zl^o] c]v^ oj^Aj S^<^A^]% <q^Sfet|l o|^^cf[3]. 

•ol ?v^?iJ+-?-a^^?l 2l«8 ^^sl5a^ 

suIeeip@yaha>.co.kr 

mphong@ajou.ac.kr 
^^=34^: 200l\l 11^ 7«a 
-a^^a : 3002^ 6^ 12^ 



AjzLul^il- o]^^ <^^^^3.^ %-;^l ^^^^ Cfl- 7l^ol) 
-^^-s] ^El-uMel^(anti-vinis) <^le1^ a] 

^^(heuristic) "^jaelf^-i- ^^^V ^Eflyf ol^ 

^^^] ^^^<^ cfl-§.sf7] m<^. n^^3.B. m^} 

n^^^i^ fl(key) ik, 3elJL 

^^^^^^ ^>asHs. ^>8s)jL, >a«8 '^)<fl -f-^<^i 

^1- sfl^^ ^^3^:^ ^iHi- ^^lo. 

^H7f ^^2]. o]s. 

replication)!- ^ ^1)^^ ^'1 ^l-g-^H "^3. 



474 



: ^^^^ 4 29^4 5 51(2002.10) 



^-Bil'y(X-raymg)4 <^1- ell ol>a (emulation) 7|^o) <y- 
«4[41. aem-, o) «J-^#^ o}->a s 

^A^4 ^o|7^ O^g^;^ C^- ;g O.o^lo> 7,-^^ 

3^o\]A] A}^^ oVj^^ 7l^o) ^S. «}. 

7)^^S. ^>^S]J1 Sacf. a5ll4, °1 ^21:^^ 7] 

^de^ ^11^* "S-J:^ sflejo] ^v\€^ o]^ 

^lelt SX^ ^Hl- UH^I^::: ^^7loll ^7)-3rM^> 

eoii^ •a-^si- 7)^1:01 ^^^^fji siji, o] 

71^0] iH^E q^>33H >a>a7]ofl ^Tll^O.^.^ 

^ <a^7V o)^oi;t|j7 3)^31 ;g«j:oii >^fls. 

^ ""^m 7i«a^ t^^i ^711 ^^ 7]^ 

^ t^'^flAl^ ^;^] 7}:^^ go) frH£)j7 «l^<g 

>a^H7l- O)^^^ oV^^j. uVig^-g. xfl 7H -^^O,^ 

i^flivcf. 4^Joll^i^ ^]^]^ ^ 

7l#1}cf. 

2.1 7|^o| o^^sj o^^ §11^ :7|a 

1- >^|£(brute-force dLxro^ption)^^ ^t!-4. 

5^4 '^Jj^^ 7i»g4 Ainq^H cfl^ 



7V^^ £^ ^] oi^^i-oj AiaM^l7}- 44^ 4^ 

7^1^ 7># :gA>^aj o}.Aj ^ 

«)-^ 4^^SH4 ^^:£Sl- 71^4 S-^4 

*H ^I^O) ^<H^ ^°ll 7l-^i5)-H^, 

<fl'^Bll<^l>a 7l^^ a ^^o] 4^1*1^ 44 4 

^ ^«J4H, 3 37l7> nil o. 7]^^ 7l;floflA^ 

^H4 ^^-^-l- 4^j^H# 

si^i ^4. s.^ n^o] sHi- 

^<HM]^ *4^ 7}^^7]n]2\ A -a-^i- ^J-'^l^l- 

<^ -^^4 pl|H.4«fl 4 o|Aj. ^^7). ^oi4x] 
^ ^«3# 7j)^*H*=>f *]-4. >^la4^1 7i«}4 

^vxi w^>»a4 ^f-^H ^\%^\^ ^-f^H)^ ^]^4^l7f 
4^1^!: ^2-4 a:l-4 «fl^<^l n ^a] ofl^Bfl 

f^^^^i A]n4^1 4h# ^a)sh1 ^4 o) 

cfl^ j[4^oi4, ih^^mi- 4*> <=>l)^Blhl4 
<^)^(binary) ^^ofl uiej b^jej-g. ^o) ^ 

^<^)4. ^, '^mBllo)>y# 4^^1^ Cfl^^ 3H7f 

5L€- 7Hj-^0_^ nV^o) ^o]o): ^l-^d 

^, 5|I^V 3^Zl^ol]Al A^g-Sfe Zj-^ 7jj^4 

H4:ii ^^e^;^ «4[5]. S£^, <i>J^e 
4^(harm) «341- ^^1^^^ S^4^ 

4^^^^^ ^^sj-Til -^^3 ^14 M14# ^5. 

^^^(profi!ing)S|-^ 7]^^ AV§-t ^S. gl4. 

^^^i^?}- ^^fli-^ <ysfl, ^^11 4-^^ :^^a^H4 *ii^<^i 

4ai ^4. '^l^ 7ie4 4^*a Hllo]^ 
4-*^^^^ -a^fl 4^^^Hl- ^1-44 ^4^<H1 

^5}-^^ *i Oj-i- ^a^E <>}0l0llAl :a45]-^ 

"execute" ^^J-^ f-sfl ^^jAj^l^ tgEfl^. :fAjs|oi 
4. o)4^ ^ol^ >i3L^Eo|)A^ '•execute" 
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m m[6], nsIM-, o) ^o. ^js_o. c^^^ 

3fll!ol oil- ^]^^ ^ scf. ti). 

m mm <h^4^ ^wtd 54. 

(black-box)4 §^ ^Eflfil 7}^]Ji 

^ ^^<H]>^i^ <g•Jls^ 7i>a^ ^^n <^^<^i 









r— 2J» 2E2 


2i5s !?a 




























tt3A JIB 
















»£2I 385 &0 ^jg 






: 99 3 






(3E UOQ OXD) 







^^o]^. -R-^ 3^ ^ 
•^2) 1 : isn^ vfloll ^j^l^ %v>- pr). 

2l^>a<^l ^Cf" P\ ^^^o)cf"5fa «1-J1, 

^C).. / ifloflAl :Ssl £^ A)~g. 



ii) 2.^ =5.a^ vfl«^lAi, / ^#oii ^ 
'S^Cactual parameter)^ ^H^) ^^-^^ ^0^;^ 
<=>> «^7V oj:^];^ ^<^|^ ol^ ^S}. 

oj^Ajo] «^v/j^7l n^^ojcf, 

iii) ^^-g-(side effect)<^l ^^^^ 
# ^#*M<=>^ <^7H)A1 ^^-g-^ I/O Hfe 

2.^ «S^1- ^]^J«^^. 2)^21- 3J 

$>a<=>i «^ 4^ ^^^^ 
2i^>a^ ^+4^1 

^2l# 4^0.^ o^^i|. 7iiga) 

•^2) 2 : '^^j >i3^Hoj o^5^s|. 7ligo. cj^3). 

i ) -8-^ 1 : ^H2j ^^^7^ e^^n^v^i, <'\^<'\ ' 

^^^o] ^^oi]A-| 1- nfl, :^^^ol ^^^^^ 

2>2}- ^o] oj-AjsH. ^^71- sfM-fil ^x>'i 
5. <a-x^ sjcHo^^ a^oi) 
VBSA^BSWG.T^ ^a^Hoicf. «l^<a 

H11013] :tH^Eo] "execute" f^<H^ ^ 



(VBSA^BSVVG.T) 



Execute{snphhuatvsb!<wujC&Wcr/WcrvJ/H.Vnsl/@w doelgtobuhno'l) 

Function snphhuatvsbkwuj{2v/byjntbpmhqqgh) 

For wpzxfszonczrao = 1 To Len(zwbyjntbDmhqqgh} 

ccuhbhjhyzkheeq = Midlzwbyjntbpmhqqgh, wpzxfszonczrao. 0 
11 Asc{ccuhbhjhyzWieeq) = 7 Then 

ccuhbhjh^kheeq =Chr(34) 
End H 

If Asc(ccuhbhihyzkheeq) <> 35 and Asc(ccuhbhjhyzkheeq} <> 34 
Then 

If A5c(ccuhbhjhyzkheeq) Mod 2 » 0 Then 

ccuhbhjhyzkheeq = Chr(Asc(ccuhbhihyzkheeq) + 1) 

Else 

cajhbhj'hyzKheea = Chr(Asc(ccuhbhihyzkheeq) - 1) 
End If 
End W 

snphhuatvsbkwuj - snphhuatvsbkwuj & ccuhbhihyzkheeq 
Next 
End Function 
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¥ «^ <ii€ ^<=>] ^^.n^oflAi 

^a-^i^t?: ^^<^lc}-. o)e1t> ^^oj 
^iS^H^ ^l-M- a <^l>^s) sfls. ^4. 

-fiLt!: >^)^^^1 ^-fi-lV ^;^l.<goi sfls-sj- «VAjc.^ ^3)- 



(VBS/TripleSix) 

^ ^^-^ -^^tV 3fl^-i- 

H^Eoll ufl^sfecfl o]^-^o] n}H7jl a^iuf. 

^ £^ ^ -R-^<Hi ^0.5.^ -^^iv ^>a^ 

2.3 »aiXtX| Q(S o^£S( >^ilMO| «t|^ 

^o.D). o]e1^ 3)iJl5V7) ^sHA^^ aflTg. ^3^^ 

£si ^^^^^ ^n^^ ^ 



ej^. -^til^J ^H^H7l- <a-^S}-£l<H 

^ SHfe ojj^^ ej«.fi]. oj.-£ ^s- avigol o^^ 

;cj ^Cf. A]lf.7ll oj.>y ^co) ;§^o]]^ 

<^l^tl 4^ ^l<il :iia^Ho) ^.a^dVo.^ 

t^-^^ ^r)-^5l-€ ^^^^^1^ 

^M. Alls* 7l^o] ^^cj| cgtg: 

^y^<^ iflSl-oj ^ ^<^A1 

^ c)i>a- >i^^H7f •a-^^sia^;^!, oi.^ gjs. a 

^J-^^ § ^ Sit^ ^ch^^S. cfl^l^o.^>w| ?} 

# >^i-§-^i-7v ^A^^w n^m^ 

Sll JL^^<>A ^^*J=-S- ^711 S)JL, o)^ o]^ 

Mlfil S-^ ^4^-^01 nil ^ej Ajofcf 

•9 ^J-^^lAli ^Eil filH^v SHI- 4«*H<^> ^1-°^ 
o] ^He1;t]7il ul-Efvfcf. oie^^ 7]^ 

«o^^^^ 4^#tV 440] 0^^5^ o.^ofl C^S.a!f ^o] a) 

Hs. ^^«] ^4 cfl^is)-^ 

cSt!: J:#^(call expression)^ ^"r ^^^^<^1 7] 
Sl-^ <aS 4>fif ;y-cf. 

Sin ol;^^oV H>o o 

s. oi^ '»Efl«ii>^i 'y*!*}^^^ •a^M <^«ii>M * 



Set Roy = Maooie,CreateTextRle{Maooie.BuildPath(Maaoie.GetSpecialFolder 

(2).V(7594E44554D405E2458545"))Jrue) 
Roy.WriteUne(V{''E402') & Maooie,BulldPath(Maoaie.GetSpecialFolder{2). 

VC7594E44554O405E245O4051}) 
Roy.WrlteUnerE 0100" & H("4O5AE70163000I0006002406FFFF5FCC')) 
Roy.WriteUneCE OtiO" 4 HC000200000001FOFF5700000001325G4B')) 



Function V{Van) 

For Kirk - I To Len(Van) Step 2 

V = V & ChfC&h' & MkJNan.Kirk + I.l) & MidtVan.Kirk.1)) 
Next 

End Function 

Function H(Houten) 

For Luann = I To Len(Houten) Step 2 
H = H & " * & Mid(Houten.Luann.2) 

Next- 
End Function 
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^gj 23 2. 







a«8 ±3s^ 



S. 1 71^4 ;^]oy^ 7]^9] UlJ 



3^ 4 

^J^Hl Sa^cf^ ^Sn^ ^^i- f-efl UU-^l«y (Def- 
use chain)[7]^ ^^^^fJI, oio]) oj^^ ^^Iri ^a^] 

# ^ ns^uf. gc- c^j^^ ^;jo] 

I/O f- ^^1-8-* ^ ^^^<=>lBf^. <^l^o) o|. 

*5^U 'S^^ 4i:=^)7f sa^lM- I/0# -flV ^^^joj 

i>>^si- «}<^<^> ^t^, i^ei-Ai, 5.^3^<a%oii 

«J-^^-8: ^^*ae1 ^^flofl € 

4^ ^4(constant propagation)^ ^^.^5. ^ 

^^HAi^ ^^t^ ^^l-7f # Cl tg^^^Ti] ^o|£| 

<H<=»> ^Jl I/O ^S) «J-ia<H| Cfl^ ^ 

















1 


2 


1 


























A)?> 














7]^ 



3.1 tf^2| ^411 

11-^7)- ol^o) A]. 

-§-^lfe ^4^4 ^h4^<Hl clllV ^^01 o|-f.ol;?jo): ^ 



(sixxification)^l ^>^1^^^ ^^^^1 a 
<=H1^1 I/O ^s] -^^-g-o) g^i^ ^^^^ el^Hl- 4^ 

^fe <^i<Hi Ti^o): ^vcj.. 

SL^ ^^7} ^^Al^o.^ Aj«y^ jf: ^hs-^^ 

«lloI^ iiiH^Efi). qg-^ o}E]nH]El 7) 

Ai<a# ^>HAl ^^fecf. ^t.K 

MI-^oflA^ ;8s)£loj[cf «i.DlefH Dim ^^-i- f-efl 3^ 

ol ;.)^ ^4^<a# ^Aisj-x] ^o. 

^7) ^^M^ 4z|o) s.^ s^l- ;yAi. 
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^^4«|-a)^^;<l : ^^^^ 4 29^ ^5 ^(2002.10) 



m Vi^, F.S) S)^ <3^cHlAi A}^ 

Vi=^Ai-D, 



^, F,-fe ;H]fi|lV <g^<H)Ai ;^ 

51 A|-§-^ olccltl- ^^a1;5>7li4 >^^§-^W ^ 

h ^^^]^, S,-t^^-ir JI^^H ^!-o).g]7) 







£^ Ml-g- 


Var 
Tabic 


VarNamc 




Funcid 


ID. 

^ '^^^^ 0 s;t':>i ^0]^ 


isLocal 


^l^'S^o]^ true. false. 
(#^^ dim^S ^'^^ ^SL 
falsc°J) 


Func 
Tabic 


FuncNamc 




Funcid 


=11 ID 


islndcp 


^ll'^ ^^7} ^-^^4^^]^ true, ofq.^ 
false 



<^;^) 4>^ :L>4. 

name = ^ol-vfl "^^/^^^ 
curFunc = f^oj ^^S\ ID 

<^?11 2> IJ-o)-^ ^i§oj 45). cf^sl 

FuncTable<^l ^7>^c^. (islndep 
= true^ *^cf.) 

El]o)«.o|]Ai ^Vo]. 

islndep = falseS. t^cf. 

^4 ^tl Eljo]^ 

ojA-l ^vo). islndep = falser t-Vcf. 

Bl)o|^oi] name - VarNamc ^]SL 
curFunc = Funcid ^ 4^^} ^^'S 
. <=»l^-i- el)o]«.oi) 7)^tVcf. 
<^7j) 3> ^-^Ji-.7jl^^f7) <^7i] ^Vcf. 

<'d:7ll 4> no]^2\ s.^ ell^s.!- cfl^'b^o,^ 4 

isLocal = false ^^IJI VarName©! 

5fl^ Funcldl- ID^ sfe ^ 

^(VarTable-FuncId = FuncTable. 
Funcld)# El]o)«ojAi islndep 
= falser 7)^^cf. 
nl-ef^i oie]^ 2}.;^^ tI;^ ^ ^o]^^ 
islndep true^ y-^^f «-^7l. ;j>^ 

3.2 if^ :isHi|e 

:a-c. <q^^ ^ej^fe ^^V^^ ^>aSloj o^Cf. 

• m a 7i)«^ 5j ^1 

• ^# sin ^<aoii 
• 

' Ef^ «l-%(type handling) ^s] 
<aa 5>b 3><^ oj.Aj >hH^Eoi]A-] 
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t jao} I S«» FSO » Creale0bject('Scrt£T:na.FDeSy5lem0bjecr) 
' " * I Set Decrypt » FSO.Cfeal«Tex«= leCresuII.W".Tru«) 



^ e ^'4' £S Oeciypt.WrileLine 23 & * ' 
Decrypt. WrileUiie 24 & " 

fi^ £>« S3 i Oecfypl.close 



ASO& 
£21 & 



* & 31 & " & 3254 4 • ' 4 S'jr.Func (v ( •7594E445540405»aEii':4U^r.* ) ) 

* & 25 4 " & 3264 4 • • 4 = .T.?anc (v ( ■04563686F602F666c6' ) ) 



ma SSI 



Function V(Van) 

End Function 
Function H(Hout«n) 

_ End Function 

Function RunFunc(para} 

re (Value ^ para 

retType * VarTypo(felValue) 

If (fetType >= 2 and retType < = 5) or retType = 11 or retType = 1 7 Tr.en 

RunFunc - Len(CStf(fet'/al'.e)) 
Elsell retType = 7 Then 

retValue = **' 4 retValue 4 

RunFunc - LentCSlrUeiVatje)) 
Elself retType ° 8 Then 

retValue • Chf(34) 4 relVar-.e 4 Chr{34) 

RunFunc = Len{CStr(retVaIt.eJ) 
Else 

RunFunc = '0* 
End it 

if RunFunc <> *0' Then 

RunFunc = Runfunc 4 ' ' 4 retValue 
End If 
_ End Function 



3^ 5 ^^ m as) ^S|| AgA^^ OJA] >.3^HO| 



D Subtype 


Description 


convertible 


vbEmpty 


Empt\* (uninitialized) 


X 


vbNull * 


Null (no valid data) 


X 


vblntegcr 


Integer 


O 


vbLong 


Long integer 


vbSinglc 


Single-precision floating-point number 


o 


vbDoublc 


Double-precision floating-point number 




vbCurrcncy 


Currency 




%bDatc 


Date 


o 


vbString 


String 


o 


vbObjcct 


Automation object 


X 


vbEiTor 


Error 


X 


vbBooIcan 


Boolean 


o 

X 


vbVariant 


Variant (used only with arrays of \*ariants) 


vbDataObjcrt 


A data-access object 


X 


vbBytc 


Byte 


o 


vbArray 


Array 


X 



^S. ^^^o\ o]l-c|| cfl^ ^<ycfl 7)s.sj. 

• -a^a 4^ Sts] ^^o] 



^^i- ^ 14 -^oifif ^ej 

^ ^T^^ W]^^ ttl]o)3] >i^^EoJ s./^o|) 71 

wflol3] ^H^so]]- Variameft 
4eH, Hllol^ >i3^Eo) ^.-^ o].^) uSa^L 

"11^ ^OJO] Oj;^l_|. -iol) 

4€ ^2]. Sl-i- #Bl # ^ ilc^ 

o|El^V Ul^<g Hll^l^ ^H^EOJ ^Ajo.^ ji| 
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: ^je.f-'t! 29 € ^ 5 :£(2002.10) 



€ ik^ Ef^-i- ^ a:^] SJJL, ^geS 

^lel >hH^Ho) ^4. :£i^oil cfl^l^W ^ 

*>7fl ^4. olofl ^^o^, ^;^l-<i^ a« 7V^^V ^Efog 

o]^^ ^^m<^l ^^^V7) ^sil>^1^, ^^V^^ 
^<f#<flfe Date Ef<asl <S:#oiife #^ i-<i^^ 

o)ei^ ^^Hl^ «81^ 44^ ^ 
«S 14^ 5><K| RunFuncS E^<a 

3.3 infai 
-fa ^H^EJ JliJ^E (Windows Scripting Host) [9] 

6>2l- ^Jcj.. 



or IginaLexpr return_value 

row col len (uncIO len string 

22 28 59 3254 28 "Scr ipt ino-FHeSystemObject" 

23 90 3 1 3264 14 'W I NTEMP1.BAT" 

24 21 25 3264 U "Oecho off" 

25 21 29 3264 13 "debuo.exe <" 
25 105 29 3264 13 "WINTEMP.TXT" 
25 140 17 3264 7 " >nul" 



set aaogie = createobject ('Script ina.Fi leSystemCbject") 
set narjofie = maggie.createtextf i le(maoa>e-bui Idpathdnaooie. 

gelspecialfolder(2). "WINTEMP1.BAT')). true) 
iDarjorte.writeline{"@echo off) 

narjor ie.writel ine('debua.exe <' & inaggie.bui Idpathdnaggie. 

getspecialfolder(2). "WlNTByP.TXT') & " >nu\') 

mar j or ie. close 

set roy = oiaggie.createtext f i lednaggie.bui ldpath(inaggie. 

getspecial folder (2). "WIHTEUP.TXT*). true) 
roy.wr ItelineCN " &maggie.buMdpath(8iaogie.oetspecial folder 
(2). "WINTEUP.TWP")) 



7 ^^^^ c(| 



^V^^ ^o] ^jif ^;^l.<g 7^ol7> OOJ 

^ ^^^^^ ^«So|| 

m: ^^1 ^^^^ ^ m. a 

a^i^ ^4=^ VSl- H9] S.^ ^o.^. 

m^<=>\ ^^7f ea-i- ^ Slcf. 

^alE)#^ MS-Windows Me ^J-<^lAi Visual 
C++ 6.0^ <^l-§-*}^ Intel Pentium UI 

866MHz CPU7V FC<^x^ ^l^slSicJ-. Aj^ofl a]. 

71^1- Ai-g.*!^ 10 7llfi1 <a-5:^^ di3L^'^ ^ 

(worm)<>1^4. 

.^.olciHl-S- ^IM-^ -fr^Ol) ^o]ig J^Oj <g.j7ei 

^ 'a-sLSj- sflB}^ <y:o] >^j#:^cf^ y}^^ 

-8-€ ^4: 17 «3-9-El ^cfl 3275 m 

7]$] CfoJ:^V ^7l# 7WJ1 al^^O^. 2^<^Ai Oi^€ 
^i^eli^S) >a«jAl?V^Cf^ I/0<21- OJAI i^3.^B.% 



347, ^ : 10) 



^^1 


4i5L Al^>(2:) 




^^^^ I^^A 


0.010 


0.022 




0.435 


0.954 




0.011 


0.a24 




0.456 


1.000 
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Slol SlJl, o]f. ^a^a^l.oflAi Slfe 71^ 

^ o) -S-^<fl .^^-5^ Pll- ^s: 71 

*c^^^ ^>a£l^ *J-^o^« 7l^ol] 0)^«^7l 

tfl-g-^71 ^«flAi^ ^^o^^l ^m^] ^ 

%-§-^v^-^ ^a-^ ^^•^^H 

(overhead)l- ^7\] ^4. 

;^lJi iiiH^^ ^<H1- '^Ti ^ih^s 

^\ cH-^^oJcf. A^-.^ «).^ ^o) 7||xfl$f 

5. as 9y it^a? 

£^ ^4^0) ^o^s.. ^^el^^Ml Afls.^ ^H?| 
Eo| o^A^ ojH^ 7j.;^l*f7) <a^7f ol^o];.) 

^i^. oil- m^]^ *SJ:^€ -^-^^ ^H^Eoj 

^^^^S. <d«3S)o1ot «).;^lnV, 7]^ 9^^<^^] 
^fl^lfl ^o^^^ ojoil Cfl-g-^y^cfl t^Tlll- 7HaL ^51^. 
^ ^oil>^1^ >ia^H o]-Aj ^oj S-Aj^ 

-S-^<H1 ^ «^ ^sfl^y 'a:^ 7] 

7l^ofl Cl)-g-S}7l ^^^<a 71) 

^«3S)J1 Clef. *^:foil^ 2^;^o{lA^ <^cH^ 
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(Design of a Secure Payment Mechanism based on S/lVUME) 
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(Chul-Woo Chun) (Jong-hu Lee) (Sang-Ho Lee) 
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/16srntzcf In E-mai! based accounting system, the remitter does not have need to find collector's 
account number. To transfer money to a collector's account, what remitter need is just a collector's 
E-mail address. But the current E-mail based accounting systems are built on SSL technology. 
Basically SSL provides some security ser\'ices - confidentiality, user authentication and data integrity, 
but does not provide non-repudiation. So, in the current E-mail based accounting system, it is possible 
to deny transaction. And there is no receipt of transaction. 

In this paper, we design and implementation of a SAIIME applied Secure Payment Mechanism. In 
our system, ever>' account information - account number, receiver name, amount of money, etc. - is 
included in a 'check' message. And this message is protected under the Secure Web-mail using 
SA'IIME. In a view point of the convenience, users using our system do not have need to find 
collector's account number. And in a view point of the security, our system provides confidentiality, 
user authentication, data integrity and non-repudiation. Moreover our system provides a receipt. 

Key words : SAIIME, payment system, secure e-mail system, encn'Ption/decryption, digital 
signature 
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